However, Mozilla developers are working around the clock, and a patch is already being tested privately. All that is publicly known so far is that the vulnerability allows a malicious web page to trigger the execution of arbitrary code on the client side, and that it affects Firefox 2, Firefox 3 and likely every other product built on the same rendering engine. Technical details and proof-of-concept exploits are being withheld by Tipping Point as well until the patch ships, so Mozilla users should be relatively safe: after all, we can be 99.99% sure that every browser out there is vulnerable to something; we just hope the bad guys don't know the details yet.

This entry was posted on Thursday, June 19th, 2008 at 12:15 pm and is filed under Mozilla, Security, NoScript.

It might be untimely but I have no doubt that it was, in fact, timed by those who found it to appear on/after Download Day rather than reported during the RC process. I wonder if there's a way to tweak bug bounties so that RC bugs get more $$...

That said, release did flush it out before autoupdate kicked in for the 2.0.x stream, which is nice...

It happens many times that there are bugs in the old foundation (reusable modules) of software products which get exposed when newer software versions are built on it. This case is very common with Windows: when Vista is tested for some attack/security hole, it's also found to affect XP.
Such incidents prove the need for thorough and continuous regression testing of the foundational classes/reusable modules.

[...] didn't spot this when I wrote my last post, but it seems there's a security alert for FF3 already - hackademix.net: Firefox 3 Untimely Security Advisory - but it also affects FF2 and probably my cautious Javascript settings are enough to stop it [...]

[...] processes, and “reward” reporters, not necessarily with money prizes, which may become dangerous when they feed an anonymous, uncontrolled vulnerability brokerage market. Most of these guys would [...]